Good Morning All,

Hopefully someone can give me a clue as to how to accomplish something...

The situation is this:
The owner of a website I designed is traveling doing event presentations.
She is enlisting the help from current members in each city to help enroll New members through a special event signup form.
The path to the signup form is through the owner's admin log in, and then a link to the form page with no menu or access to anything else that would normally be accessible to the admin/owner.

Problem 1 - the helper can hit the back button to get to the admins page with all the menu links available, and I need to eliminate that.
Solution - open the event signup form in a new browser window and then go back to the original page and log out.
Creating Problem 2. - The script checks that you are logged in, and once the admin logs out, the form page requires login again.
Solution - Don't do the login check on the form page, so logging out won't create an issue.
Creating Problem 3 - The form page would then be accessible to anyone with the URL...

So, what I think would resolve this issue is to be able to do a check on the form page to see where they were to get to this page...
This in my mind would eliminate someone just surfing to this URL, but would ensure that they came from the admin page post log in, so we would know that they were logged in or they couldn't have gotten there.

Hope this makes sense, and that someone could give me some direction on accomplishing this.

OR, if you have a better, cleaner, safer, more effective means of accomplishing the goal, I'd be open to any suggestions.

Thanks in advance.
Douglas


Member Avatar for diafol

I think it's very unwise to allow admin privileges to strangers. Idiotic actually.
You should set up a unique user in the DB. Then when this user (all the people who want to see a page), logs in, they are conditionally forwarded to the page.

This means you can write an easy couple of snippets without changing loads of structure:

So in your login receiving page - you can put this at the top

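session_start();
// Placeholder digest from the original post. New code should store password_hash() output and check it with password_verify() instead of salted md5.
$expected = '1304nfhw923624rb12837b1232dr6u89';
if (isset($_POST['username'], $_POST['pass'])
    && $_POST['username'] === 'magic'
    && hash_equals($expected, md5("mysalt55" . $_POST['pass']))) { // constant-time, no loose == juggling
    session_regenerate_id(true); // new session ID once the user is authenticated
    $_SESSION['special'] = true;
    header('Location: hidden/secret_page.php');
    exit; // header() alone does not stop the script
}
//maybe add error checking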

In your new secret page:

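session_start();
// empty() also covers the case where neither key has been set
if (empty($_SESSION['special']) && empty($_SESSION['admin'])) {
    header("Location: ../index.php");
    exit; // without this the rest of the page is still sent to the visitor
}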

Well something like that anyway.

I just want you to know how RUDE, UNNECESSARY and UNACCEPTABLE your 'idiotic' statement was.

You obviously don't read very well, or you would have gathered that My question revolved around the avoidance of allowing any access to the Admin Privileges...

I come here and ask questions because the greatest majority of the folks on this site are helpful and courteous, but you are apparently NOT ONE OF THEM.

In the future, please try to refrain from responding to any of my posts.

Thanks
Douglas

Member Avatar for diafol

I apologise if my statement upset your sensibilities. It was an attempt to show you how wrong this approach was. It was not my intention to belittle you (I was not aware that you were the web dev - I did indeed misread - I assumed this was your boss's solution). I have helped you many times in the past (e.g. http://www.daniweb.com/web-development/php/threads/423212/query-to-get-data-and-update-at-one-time to which you didn't respond) but have no axe to grind. I have however provided, what I assume to be, a valid solution, so that may provide some solace to you. I will respect your wishes and never reply to your posts or try to help you again. Peace and goodwill,

diafol.

PS, just to show I'm not as bad as you think:

Here's a list of threads where I was apparently helpful to you - I may even have been courteous. I was known as ardav at the time:

http://www.daniweb.com/web-development/php/threads/323398/sessions-across-multiple-domains
http://www.daniweb.com/web-development/php/threads/331039/function-call-to-itself
http://www.daniweb.com/web-development/php/threads/336120/working-html-form-appears-blank-in-ie
http://www.daniweb.com/web-development/php/threads/351362/selectable-expanding-info-boxes
http://www.daniweb.com/web-development/php/threads/351549/more-mysql-than-php
http://www.daniweb.com/web-development/php/threads/353788/form-input-creating-erroneous-coordinates
http://www.daniweb.com/web-development/php/threads/393108/mathematical-calculation
http://www.daniweb.com/web-development/php/threads/404735/plug-in-reccomendations
http://www.daniweb.com/web-development/php/threads/414327/header-statement-suddenly-not-working
http://www.daniweb.com/web-development/php/threads/413223/set-specific-time-of-day-30-days-in-advance
http://www.daniweb.com/web-development/php/threads/412311/adding-minutes-to-datetime-field
http://www.daniweb.com/web-development/php/threads/422285/cleaning-form-input
http://www.daniweb.com/web-development/php/threads/416943/php-plug-in-availability
http://www.daniweb.com/web-development/php/threads/423212/query-to-get-data-and-update-at-one-time
http://www.daniweb.com/web-development/php/threads/422764/determining-current-page

And those are just the ones I tracked - must have spent a couple of hours helping you over this last year and not a single rep from you in all that time. :(

Better still - have a look at my stats - the ones which indicate how helpful / effective you are: http://www.daniweb.com/members/120589/diafol/comments, http://www.daniweb.com/stats/toplist/120589

diafol,
I do apologize for my rather curt response to your comment. When I read it, I just felt that it was very unnecessary to make that comment. You are right, I didn't recognize the name, and honestly didn't even realize that you were a moderator on the site.

I do however recognize your previous name, and have appreciated your responses to many of my queries in the past...

You make reference to 'not a single rep from me'... what does that mean? Am I missing something?

I've often wished I could repay people for their assistance and direction when I have questions, but have never known of a way to do it.

Anyway, your response was what it took to send me in the right direction to resolve yet another issue.

I ended up creating the special admin account and the included header on every page checks for that login, and directs them to the page they need to be at without any access to any other admin function.

It worked great, and I thank you.

Please ignore my request that you refrain from responding to my questions, because if I remember right, I've received more assistance from you than anyone else, and probably more than the collective of other help.

Douglas
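
A sketch of the kind of included header described in the post above, and of the server-side alternative to the "where did they come from" check asked about in the opening post. This is an added example, not Douglas's code or anything posted in the thread; the role names, paths and function names are hypothetical.

```php
<?php
// guard.php: added example, included at the top of every admin-area page
// (not the login page). Role names and paths below are hypothetical.
const HELPER_PAGES = ['/admin/event_signup.php']; // all a helper may open
const HELPER_HOME  = '/admin/event_signup.php';
const LOGIN_PAGE   = '/index.php';

/**
 * Returns null when the page may be served, else the redirect target.
 * Only server-side session state is consulted. The Referer header comes
 * from the client, so it cannot show that the visitor ever logged in.
 */
function redirect_target(array $session, string $scriptPath): ?string
{
    $role = $session['role'] ?? null;
    if ($role === 'admin') {
        return null; // full access
    }
    if ($role === 'event_helper') {
        // Back button or a typed URL to any other admin page lands here.
        return in_array($scriptPath, HELPER_PAGES, true) ? null : HELPER_HOME;
    }
    return LOGIN_PAGE; // not logged in, or a role this guard does not know
}

function enforce_access(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = redirect_target($_SESSION, $_SERVER['SCRIPT_NAME'] ?? '');
    if ($target !== null) {
        header('Location: ' . $target);
        exit; // stop before any page content is produced
    }
}

if (PHP_SAPI !== 'cli') {
    enforce_access();
} else {
    // Constructed cases, printed when run as: php guard.php
    $cases = [
        [['role' => 'event_helper'], '/admin/event_signup.php'],
        [['role' => 'event_helper'], '/admin/members.php'],
        [[], '/admin/event_signup.php'],
    ];
    foreach ($cases as [$s, $p]) {
        printf("%-13s %-24s -> %s\n", $s['role'] ?? 'anonymous', $p, redirect_target($s, $p) ?? 'serve page');
    }
}
```

The login handler would set `$_SESSION['role']` after verifying the password, so the helper account never holds an admin session at all.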

Member Avatar for diafol

That's OK Douglas, on reflection, the word 'idiotic' was strong - just my limited vocab unfortunately. 'Extremely unwise', should have sufficed.

With regard to me being a mod - that makes no difference at all. If a mod is rude, he's rude, no two ways about it. I shall endeavour to put more thought into my phrasing in future. It's even more important that I do that, now that I'm a mod and am representing DW.
So, we'll move on. Still happy to help.
d.
